[146244] in North American Network Operators' Group
RE: XO blocking individual IP's
daemon@ATHENA.MIT.EDU (Blake T. Pfankuch)
Mon Nov 7 23:34:37 2011
From: "Blake T. Pfankuch" <blake@pfankuch.me>
To: "clayton@haydel.org" <clayton@haydel.org>, "nanog@nanog.org"
<nanog@nanog.org>
Date: Tue, 8 Nov 2011 04:34:23 +0000
In-Reply-To: <741f8279bada1343342d857e18f7495d.squirrel@emailmg.ipower.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Oh yes! Good lord I about went insane with this. I was working with a cus=
tomer single homed to cBeyond. I spent 3 hours on the phone with cBeyond t=
o figure out what was going on, it looks like a broken route. Come to find=
out it was an XO "security null". The engineer on the phone from cBeyond =
said to me "Well, I have learned 2 things today. 1, XO nulls for 'security=
purposes' at random. 2, I am no longer shocked by any ridiculous policy I=
will ever come across again."
In this case majority traffic was going from cBeyond to anywhere (via XO) a=
nd being eaten, however it was VERY tough to diagnose as all parties involv=
ed assumed this would not be occurring between source and destination witho=
ut good public documentation or at least any record of this happening to so=
meone else. Also I guess we all assumed that major bandwidth players don't=
filter anything.
I personally think its good on paper, but very bad real life until there is=
a way to notify the end customer of the violation quickly. This issue lit=
erally took 3 full weeks to figure out what was going on. Yes this works g=
reat in a colo datacenter as you have the customer contact info (hopefully)=
. But in the case where my customers provider was having the IP filtered b=
y their transit it was hell to diagnose. In my case the customer had a sin=
gle infected machine that was making outbound connections on TCP3389 in the=
range of about 100 connections every 5 minutes and because of this was ent=
irely being "security nulled".
Blake
-----Original Message-----
From: clayton@haydel.org [mailto:clayton@haydel.org]=20
Sent: Monday, November 07, 2011 7:43 PM
To: nanog@nanog.org
Subject: XO blocking individual IP's
I'm hoping someone has had the same experiences, and is further toward a re=
solution on this than I am. About 6 months ago, we noticed that XO was blac=
kholing one specific IP out of a /24. Traces to that IP stopped on XO's ne=
twork, traces to anything else out of the block went through fine.
XO finally admitted that they had a new security system that identifies sus=
picious traffic and automatically blocks the IP for 30 minutes. We had to =
get the IP in question "whitelisted" by their security guys. The traffic w=
as all legit, it was just on a high port # that they considered suspicious.
There have several more cases like this, and XO has not been forthcoming wi=
th information. We're either looking to be exempted from this filtering or =
at least get a detailed description of how the system works. I'm not sure =
how they think this is acceptable from a major transit provider.
Anybody else had similar problems?
Clayton Haydel
